# Vulnerability Summary: UERANSIM 3.2.7 DoS via Malformed RLS Packet (CVE-248)

## Vulnerability Overview

- **Vulnerability ID**: #80026
- **CVE ID**: CVE-248
- **Vulnerability Type**: Remote Denial of Service (DoS)
- **Trigger Condition**: A single malformed RLS (Radio Link Simulation) UDP datagram sent to the gNB's RLS listener (UDP port 4997 by default).
- **Root Cause**: While decoding an RLS message, the decoder takes the PDU length declared in the packet and passes it to `readOctetString` without checking it against the number of bytes actually remaining in the datagram. When the declared length exceeds the data present, `readOctetString` throws; nothing in the RLS task catches the exception, so it propagates to the top level and terminates the gNB process.

## Impact Scope

- **Affected Software**: UERANSIM 3.2.7
- **Affected Component**: gNB RLS listener
- **Attack Prerequisites**:
  - The attacker only needs UDP reachability to the listener.
  - No authentication and no prior connection establishment are required; the datagram is decoded before any UE state is consulted.
  - In Kubernetes clusters or shared cloud networks, any workload with Layer 3 access to the gNB pod or host can deliver the payload.
- **Impact Consequences**:
  - The gNB process terminates and is completely unavailable.
  - All UEs attached to that gNB lose connectivity until the gNB is restarted.
  - The attack can be repeated after every restart, so the outage can be sustained indefinitely.

## Remediation

- **Current Status**: No fix has been released yet.
- **Interim Mitigation**: Restrict reachability of UDP port 4997 to the hosts that run UEs for this gNB (host firewall, security group or Kubernetes NetworkPolicy); the listener has no need to be reachable from anywhere else.
- **Coordinated Disclosure**: The reporter is contacting the UERANSIM maintainers to report this issue responsibly.
- **POC Details**: Public POC details will be withheld until a fix is available.
- **Related CVE**: This behaviour is related to CVE-2024-37877, although CVE-2024-37877 primarily concerns malformed RLS PDU length handling in `DecoderRlsMessageObjectOctetString`.

## POC Code

```python
# No specific POC code provided; only the attack principle and trigger conditions are described.
```
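The decoder pattern described under Root Cause, as an added example written for this summary rather than code from UERANSIM or from the reporter, and not a proof of concept: it models a constructed length-prefixed PDU field (4-byte big-endian declared length followed by the PDU bytes, an illustrative layout, not the real RLS wire format) decoded first the unchecked way, then with the two changes a fix needs, a bounds check before the read and a receive loop that treats a decode failure as one dropped datagram rather than a fatal error. The datagrams `GOOD`, `OVERSIZED` and `TRUNCATED` are constructed inline.

```python
import struct


class RlsDecodeError(ValueError):
    """Malformed datagram. The listener must treat this as 'drop and log', never as fatal."""


# Constructed test datagrams (illustrative layout, not UERANSIM's RLS format):
#   4-byte big-endian declared PDU length, followed by the PDU bytes.
GOOD = struct.pack(">I", 3) + b"abc"             # length matches data
OVERSIZED = struct.pack(">I", 0xFFFF) + b"ab"    # declares 65535 bytes, carries 2
TRUNCATED = b"\x00\x01"                          # not even a complete length field


def decode_pdu_unchecked(data: bytes, offset: int = 0) -> bytes:
    """Vulnerable pattern: the declared length is trusted and handed straight to the read."""
    (declared,) = struct.unpack_from(">I", data, offset)   # struct.error if truncated
    offset += 4
    # Fixed-length copy driven by the untrusted count, like readOctetString(declared):
    # stepping past the end raises IndexError, and nothing here catches it.
    return bytes(data[offset + i] for i in range(declared))


def decode_pdu_checked(data: bytes, offset: int = 0) -> bytes:
    """Hardened form: every length is validated against the bytes actually remaining."""
    if len(data) - offset < 4:
        raise RlsDecodeError("truncated length field")
    (declared,) = struct.unpack_from(">I", data, offset)
    offset += 4
    remaining = len(data) - offset
    if declared > remaining:
        raise RlsDecodeError(f"declared PDU length {declared} exceeds {remaining} remaining bytes")
    return data[offset:offset + declared]


def serve(datagrams, decoder):
    """Model of the RLS receive loop.

    Returns (handled, dropped, alive). Only RlsDecodeError is treated as a recoverable
    per-datagram failure; any other exception escapes the loop, which is the equivalent
    of the gNB process crashing.
    """
    handled = dropped = 0
    for datagram in datagrams:
        try:
            decoder(datagram)
            handled += 1
        except RlsDecodeError:
            dropped += 1          # log the source address and move on to the next datagram
        except Exception:
            return handled, dropped, False
    return handled, dropped, True


if __name__ == "__main__":
    traffic = [GOOD, OVERSIZED, GOOD, TRUNCATED, GOOD]
    print("unchecked decoder:", serve(traffic, decode_pdu_unchecked))  # (1, 0, False)
    print("checked decoder:  ", serve(traffic, decode_pdu_checked))    # (3, 2, True)
```

With the unchecked decoder the second datagram ends the loop and the three well-formed datagrams after it are never served; with the checked decoder both malformed datagrams are dropped and the loop stays alive. In a C++ code base the same two changes apply: compare the declared length with the bytes left in the octet view before calling `readOctetString`, and have the RLS task convert any decode failure into a dropped datagram instead of letting the exception escape to the top level.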